Attackers will win so what can you do?

The cat-and-mouse game you’re playing to protect your network against the enmity of motivated attackers is perilous. You’re going to lose. (More and more 0day is coming: see Bejtlich's summary at the bottom of his post on Black Hat Day 1 '07, or Immunity Sec's recent presentation, which makes a nice point: "Our time to exploit is shorter than your ability to patch.")


The problem is you have to play if you want to be connected. Playing, then, is about choosing the best strategy, or the dominant strategy if one exists. I think there is a dominant strategy for securing your network: traffic analysis (augmented with content & context when available).


From the game theory book Thinking Strategically:

In general, a player has a dominant strategy when he has one course of action that outperforms all others no matter what the other players do.  If a player has such a strategy, his decision becomes very simple: he can choose the dominant strategy without worrying about the rival’s moves.  Therefore it is the first thing one should seek.

Traffic analysis (augmented with content & context) is the best solution when you want pervasive security (i.e. proactive identification of all types of normal and anomalous activity, plus strong incident response support because you hold the history of communications).


Let me make the point that I do not think traffic analysis in isolation is the winning strategy, but it is a winner when combined with other data freely available on your network. And because I'm tackling this from a defensive perspective (i.e. you own the network you're protecting), I'm assuming you get extra defensive observation muscle: snippets of content and context parceled up and sent to you by services like syslog.


To take a step back, Wikipedia defines traffic analysis as the process of intercepting and examining messages in order to deduce information from patterns in communication. That means learning what's going on by analyzing only the metadata surrounding communication (e.g. the sender, the receiver, the time and length of messages, etc.).

It's amazing what traffic analysis can uncover. Taken from Blink:

The Germans were [in WW II], of course, broadcasting in code, so - at least in the early part of the war - the British couldn't understand what was being said. But that didn't necessarily matter, because before long, just by listening to the cadence of the transmission, the interceptors began to pick up on the individual fists of the German operators, and by doing so, they knew something nearly as important, which was who was doing the sending. [..] After they identified the person who was sending the message, the interceptors would then locate their signal. So now they knew something more. They knew who was where.

This goes on, and is of course only a glimpse of what can be learned. In IT security, you can then imagine it's possible to:

  • uniquely identify all users on a network only by observing patterns (e.g. quirks in how a user types on a keyboard, command sequences a user typically executes, patterns in how they peruse Internet and Intranet sites, plus 100s or 1000s of additional ways)
  • always identify an attacker by observing that nothing the attacker is doing matches any known trusted user's patterns
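To make the second bullet concrete, here is an added example (not from the original post) that profiles each host from flow metadata alone and then flags flows that match none of that host's established patterns; every host, port and byte count in it is a constructed sample value.

```python
# Added example, not from the original post; hosts, ports and byte counts are constructed.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline flows: (hour, src, dst, dport, bytes, duration_s)
BASELINE = [
    (9, "10.0.0.5", "10.0.1.20", 443, 1200, 2.0),
    (10, "10.0.0.5", "10.0.1.20", 443, 1350, 1.8),
    (11, "10.0.0.5", "10.0.1.20", 443, 1100, 2.2),
    (14, "10.0.0.5", "10.0.1.21", 80, 900, 1.5),
    (15, "10.0.0.5", "10.0.1.21", 80, 950, 1.6),
    (16, "10.0.0.5", "10.0.1.20", 443, 1250, 2.1),
]
# Constructed later flows to score against that baseline
TEST = [
    (10, "10.0.0.5", "10.0.1.20", 443, 1300, 1.9),       # fits the profile
    (3, "10.0.0.5", "203.0.113.9", 8443, 52000, 600.0),  # new peer, odd hour, big
    (9, "10.0.0.77", "10.0.1.20", 443, 1200, 2.0),       # host with no history
]

def build_profile(flows):
    """Per-source profile: known (dst, port) peers, active hours, byte stats."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f[1]].append(f)
    return {src: {"peers": {(f[2], f[3]) for f in fl},
                  "hours": {f[0] for f in fl},
                  "mean": mean(f[4] for f in fl),
                  "std": pstdev(f[4] for f in fl) or 1.0}  # 1.0 avoids /0
            for src, fl in by_src.items()}

def score_flow(profiles, flow):
    """Return (deviation_count, reasons) for one flow, from metadata alone."""
    hour, src, dst, dport, nbytes, _duration = flow
    p = profiles.get(src)
    if p is None:                      # nothing to match against at all
        return 3, ["unknown source host"]
    reasons = []
    if (dst, dport) not in p["peers"]:
        reasons.append("new peer %s:%d" % (dst, dport))
    if hour not in p["hours"]:
        reasons.append("outside active hours (%02d:00)" % hour)
    if abs(nbytes - p["mean"]) / p["std"] > 3:   # > 3 std devs from usual size
        reasons.append("byte count far from host mean")
    return len(reasons), reasons

def flag_anomalies(profiles, flows, threshold=2):
    """Flows with at least `threshold` independent metadata deviations."""
    scored = [(f, score_flow(profiles, f)) for f in flows]
    return [(f, r) for f, (s, r) in scored if s >= threshold]
```

Real deployments would add content and context (syslog, authentication logs) as further features, which is exactly the augmentation the post argues for.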

At Blackhat '07, a presentation on traffic analysis had a slide titled "Why do this?", which speaks to the advantages of traffic analysis (my additions are in []):

  • crypto [i.e. you can't see the content anyway]
  • too much data, already [i.e. the need to aggregate and summarize]
  • it's easier than analyzing everything
  • it's hard to evade [i.e. you'll either catch the attacker or possess the data to reconstruct communication paths]

Now, extending traffic analysis with relevant content and context data (syslog, authentication logs, alerts from point products, etc.) allows very powerful detection of all types of attacks, likely with much greater precision and breadth of coverage than anything else (or than relying on a mix of prevention-focused systems). Hence why I think it is a dominant strategy for pervasive security.

There is a major challenge in analyzing all this related information though, which is called the curse of dimensionality. I'll save that one for later.


Posted by tate 06/08/2007 at 08h36


Comments

  1. dre 10/08/2007 at 18h59

    I’m not convinced. Don’t the adversaries know that traffic analysis exists? I would assume yes.

    There are plenty of tricks at the network layer, and many attacks are going multi-channel now. Say the adversary uses ncovert or nushu or gray-world.net 'cooking with covert channels'? Pretend there is a tool out there that implements command and control via the ncovert/nushu concepts but the traffic looks just like the update functionality of the operating system under rootkit control? What about P2P traffic? IM traffic? DNS traffic?

    What do you do when attack vectors utilize man-in-the-browser? Say an adversary re-writes the JavaScript eval function to evade filters so that their malware payload can be whitespace obfuscated?

    I tried sniffing whitespace once. Wait, no - that was WhiteOut(tm). Same difference; both were completely pointless.

  2. Tate Hansen 13/08/2007 at 19h06

    Yes, I would assume adversaries know that traffic analysis exists, or at least it’s good we assume they do.

    So, for argument’s sake, an attacker trying to evade a “strong” traffic analysis system would have to nearly perfectly profile everything he was trying to use subversively.

    If he fails to always covertly communicate throughout a victim’s domain following “normal” patterns of activity, then he can be exposed.

    So if the attacker hasn’t “learned” to communicate using the same patterns of frequency, duration, packet sizes, etc., then he can be caught.